Your RDP Clipboard will get you compromised

February 7, 2019

Security researches have disclosed a proof of concept which shows how it is possible to compromise clients via RDP. In order to exploit the clients, the attackers make use of vulnerability in the RDP clipboard function.

The environments which are targeted are:

mstsc.exe – Microsoft’s built-in RDP client.

FreeRDP – The most popular and mature open-source RDP client on Github.

As “rdesktop” is the built-in client in Kali-linux, a Linux distro used by red teams for penetration testing, we thought of a 3rd (though probably not practical) attack scenario: Blue teams can install organizational honeypots and attack red teams that try to connect to them through the RDP protocol.

Exploit steps

If a client uses the “Copy & Paste” feature over an RDP connection, a malicious RDP server can transparently drop arbitrary files to arbitrary file locations on the client’s computer, limited only by the permissions of the client. For example, drop malicious scripts to the client’s “Startup” folder, and after a reboot they will be executed on his computer, giving full control.

The research

The research was performed by Checkpoint, and they have published a full step by step article which explains how it is possible to exploit the RDP sessions via clipboards.